System role attestation
Installed modules: System Roles Module
If you attest memberships in system roles, you can use the QER | Attestation | AutoRemovalScope | ESetAssignment configuration parameter to configure the automatic removal of system roles. After attestation approval has been denied, One Identity Manager checks which type of assignment was used for the user account to become a member in the system role.
Table 45: Effect of configuration parameters when attestation denied

QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveDirect
    Direct membership in the system role is removed. This removes all indirect assignments obtained by the identity through this system role.

QER | Attestation | AutoRemovalScope | ESetAssignment | RemovePrimaryRole
    If the system role was inherited through a primary role, the role is withdrawn. This removes all indirect assignments obtained by the identity through this role.

QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveRequestedRole
    If the system role was inherited through a requested role, the role request is canceled or unsubscribed. This removes all indirect assignments obtained by the identity through this role. Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Configuring withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveDelegatedRole
    If the system role was inherited through a delegated role, the delegation of this role is canceled or unsubscribed. This removes all indirect assignments obtained by the identity through this role. Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Configuring withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveRequested
    If the system role was requested through the IT Shop, the request is canceled or unsubscribed. This removes all indirect assignments obtained by the identity through this system role. Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Configuring withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveDirectRole
    If the system role was inherited through a secondary role (organization or business role), the identity's membership is removed from this role. This removes all indirect assignments obtained by the identity through this role.

QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveDynamicRole
    If the system role was inherited through a dynamic role, the identity is excluded from the dynamic role. This removes all indirect assignments obtained by the identity through this role.
If you attest assignments to system roles, you can use the QER | Attestation | AutoRemovalScope | ESetHasEntitlement configuration parameter to configure automatic removal of assignments.
Table 46: Effect of configuration parameters when attestation denied

QER | Attestation | AutoRemovalScope | ESetHasEntitlement | RemoveDirect
    Assignment of the company resource to a system role is removed.

QER | Attestation | AutoRemovalScope | ESetHasEntitlement | RemoveRequested
    Assignment of the company resource to a system role requested by assignment request is unsubscribed.
If you attest system role assignments to hierarchical roles, you can use the following configuration parameters to configure automatic removal of system roles.
Table 47: Effect of configuration parameters when attestation denied

QER | Attestation | AutoRemovalScope | DepartmentHasESet | RemoveDirect
    The assignment of the system role to a department is removed. Therefore the system role is removed from all identities that inherit assignments from this department.

QER | Attestation | AutoRemovalScope | ProfitCenterHasESet | RemoveDirect
    The assignment of the system role to a cost center is removed. Therefore the system role is removed from all identities that inherit assignments from this cost center.

QER | Attestation | AutoRemovalScope | LocalityHasESet | RemoveDirect
    The assignment of the system role to a location is removed. Therefore the system role is removed from all identities that inherit assignments from this location.

QER | Attestation | AutoRemovalScope | OrgHasESet | RemoveDirect
    The assignment of the system role to a business role is removed. Therefore the system role is removed from all identities that inherit assignments from this business role.
Application role attestation
If you attest memberships in application roles, you can use the QER | Attestation | AutoRemovalScope | AERoleMembership configuration parameter to configure automatic removal of application roles. After attestation approval has been denied, One Identity Manager checks which type of assignment was used for the user account to become a member in the application role.
Table 48: Effect of configuration parameters when attestation denied

QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveDirectRole
    The identity's secondary membership is removed from the application role. This removes all indirect assignments obtained by the identity through this application role. Membership in dynamic roles is not removed in this process.

QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveRequestedRole
    If the identity requested the application role through the IT Shop, the request is canceled or unsubscribed. This removes all indirect assignments obtained by the identity through this application role. Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Configuring withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveDelegatedRole
    If the application role was delegated to the identity, delegation is canceled or unsubscribed. This removes all indirect assignments obtained by the identity through this application role. Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Configuring withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveDynamicRole
    The identity is excluded from the application role's dynamic role. This removes all indirect assignments obtained by the identity through this application role. This does not remove memberships in the application role that were created in another way.
Business role attestation
Installed modules: Business Roles Module
If you attest memberships in business roles, you can use the QER | Attestation | AutoRemovalScope | RoleMembership configuration parameter to configure automatic removal of business roles. After attestation approval has been denied, One Identity Manager checks which type of assignment was used for the user account to become a member in the business role.
Table 49: Effect of configuration parameters when attestation denied

QER | Attestation | AutoRemovalScope | RoleMembership | RemoveDirectRole
    The identity's secondary membership in the business role is removed. This removes all indirect assignments obtained by the identity through this business role. Membership in dynamic roles is not removed by this.

QER | Attestation | AutoRemovalScope | RoleMembership | RemoveRequestedRole
    If the identity requested the business role through the IT Shop, the request is canceled or unsubscribed. This removes all indirect assignments obtained by the identity through this business role. Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Configuring withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | RoleMembership | RemoveDelegatedRole
    If the business role was delegated to the identity, delegation is canceled or unsubscribed. This removes all indirect assignments obtained by the identity through this business role. Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Configuring withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | RoleMembership | RemoveDynamicRole
    The identity is excluded from the business role's dynamic role. This removes all indirect assignments obtained by the identity through this business role. This does not remove memberships in the business role that were created in another way.
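As an added example that is not One Identity Manager code, the following Python models how a denied attestation of a system role, application role or business role membership (tables 45, 48 and 49) is handled by whichever AutoRemovalScope sub-parameters are enabled, and reports whether the identity still holds the role through a path that no enabled parameter covers, in which case the entitlements inherited through the role survive the denial. The path labels, the Membership model and the "still a member while any path remains" rule are my own assumptions.

```python
from dataclasses import dataclass, field

# AutoRemovalScope sub-parameter that handles each assignment path, per table.
# Parameter names are taken from tables 45, 48 and 49; the path labels are
# my own shorthand for the assignment types those tables describe.
PARAM_FOR_PATH = {
    "ESetAssignment": {                       # system role memberships (table 45)
        "direct": "RemoveDirect", "primary role": "RemovePrimaryRole",
        "requested role": "RemoveRequestedRole", "delegated role": "RemoveDelegatedRole",
        "it shop request": "RemoveRequested", "secondary role": "RemoveDirectRole",
        "dynamic role": "RemoveDynamicRole",
    },
    "RoleMembership": {                       # business role memberships (table 49)
        "secondary role": "RemoveDirectRole", "it shop request": "RemoveRequestedRole",
        "delegated": "RemoveDelegatedRole", "dynamic role": "RemoveDynamicRole",
    },
}
PARAM_FOR_PATH["AERoleMembership"] = PARAM_FOR_PATH["RoleMembership"]  # table 48

@dataclass
class Membership:
    identity: str
    role: str
    paths: set                                   # assignment paths the identity holds the role through
    inherited: set = field(default_factory=set)  # entitlements inherited via this role

def deny_attestation(scope: str, m: Membership, enabled: set) -> dict:
    """Apply the enabled sub-parameters of QER | Attestation | AutoRemovalScope | <scope>
    to a membership whose attestation was denied.

    Assumption (my model, not wording from the page): the identity keeps the role,
    and everything inherited through it, as long as at least one path survives.
    """
    table = PARAM_FOR_PATH[scope]
    actions, remaining = [], set(m.paths)
    for path in sorted(m.paths):
        param = table.get(path)
        if param is None:
            actions.append(f"{path}: no {scope} parameter covers this path")
        elif param in enabled:
            actions.append(f"{param}: removed {path} assignment of {m.role}")
            remaining.discard(path)
    still_member = bool(remaining)
    return {"actions": actions, "remaining": remaining, "still_member": still_member,
            "entitlements_removed": set() if still_member else set(m.inherited)}
```

Running it with an identity that holds a business role both as a secondary membership and through a dynamic role, with only RemoveDirectRole enabled, shows the dynamic path (and the inherited entitlements) left in place, which is the case table 49 warns about.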
Configuring sample attestation of identities and their entitlements
The Identity attestation default policy collection combines all default attestation policies to attest identities along with all their entitlements and memberships. The policy collection is assigned to a default sample that you use to specify which identities to attest.
To set up comprehensive attestation of selected identities
- Manually assign the identities to be attested to the Individual selection of identities sample.
- Create a schedule and assign it to the Identity attestation policy collection. By doing this, you replace the schedule assigned by default.